Substantial changes have occurred in the data processing and computing industry over approximately the past decade. These changes have been driven, in part, by the increasing dominance of networking in general, and of the Internet in particular. In the past many computers were standalone, but today the capabilities and usefulness of many digital devices are substantially enhanced by being interconnected with other digital devices. Packet networks often convey information among computers, even those physically separated by vast distances.
When all is working well, networking provides substantial benefits over computers and other digital devices operating alone. However, networks are themselves vulnerable both to accidental malfunctions and to malicious attacks. Further, networks often expose the vulnerabilities of the digital devices attached to the network to a wider audience. Still further, networks often convey the consequences of a malfunction or attack far beyond the digital device or devices that are the root of the problem. Thus, the security and reliability of networks are of the utmost importance.
One known approach to this problem is an access control list (ACL). An access control list stores a restricted pattern in a memory, compares this pattern to the packets traveling across a particular point in a network, and drops any packets that are restricted, that is, that match the restricted pattern. Thus, any problems that would have been created by the restricted packet being received and acted upon are prevented.
Typically, restricted packets can be detected by examining the packet headers. The information required to detect a restricted packet typically includes some combination of data at the international standards organization (ISO) layer 2 (e.g. physical port), layer 3 (e.g. IP source address, IP destination address, or both), and layer 4 (e.g. protocol type, transport layer port, or both). Thus, establishing an effective set of ACLs for a network is a complex and painstaking task that depends on the exact configuration of the network, on the communication protocols used (and not used) on the network, and on the expected use and behavior of the various digital devices on the network.
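As an added illustration of the matching just described (example code, not part of the original description), the following is a minimal first-match ACL evaluator over the layer 2, 3 and 4 header fields named above; the Packet and Rule representations, the first-match ordering and the sample addresses are assumptions chosen for the example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A packet is reduced to the header fields the text says an ACL examines:
# the layer 2 physical port, the layer 3 source and destination IP addresses,
# and the layer 4 protocol type and transport-layer destination port.
@dataclass(frozen=True)
class Packet:
    in_port: int
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None

# One restricted pattern. None means "any value" for that field; IP fields are
# CIDR prefixes so a whole address range can be restricted by a single entry.
@dataclass(frozen=True)
class Rule:
    action: str                 # "deny" or "permit"
    in_port: Optional[int] = None
    src: Optional[str] = None   # e.g. "192.0.2.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """True only if every field that the pattern specifies agrees with the packet."""
        if self.in_port is not None and pkt.in_port != self.in_port:
            return False
        if self.src is not None and ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True

def evaluate(acl: list[Rule], pkt: Packet, default: str = "permit") -> str:
    """Return the action of the first rule whose pattern matches, else the default.
    Rule order therefore matters: a broad "permit" placed first would shadow later denies."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed sample ACL (documentation addresses only): drop telnet from the
# 192.0.2.0/24 range arriving on port 1, and drop anything addressed to 198.51.100.5.
SAMPLE_ACL = [
    Rule("deny", in_port=1, src="192.0.2.0/24", proto="tcp", dst_port=23),
    Rule("deny", dst="198.51.100.5/32"),
]
```

The second sample rule shows why the text calls ACL maintenance painstaking: if that host is renumbered, the pattern silently stops matching and the traffic it was meant to block is permitted by the default.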
Further, as the network evolves with additions, simplifications, or reconfigurations, any or all of the patterns used in any or all of the ACLs may have to be modified to reflect the new configuration and expectations.